Security experts are warning website operators to test whether their HTTPS traffic is vulnerable to a new crypto attack that can be used to grab sensitive information.

The so-called BREACH attack -- short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext -- was detailed in a Department of Homeland Security (DHS) "BREACH vulnerability in compressed HTTPS" advisory, issued Friday, which warned that "a sophisticated attacker may be able to derive plaintext secrets from the ciphertext in an HTTPS stream." All versions of the transport layer security (TLS) and secure sockets layer (SSL) protocols are vulnerable.

Full details of the vulnerability were first unveiled Thursday at the Black Hat conference in Las Vegas by Salesforce.com lead product security engineer Angelo Prado, Square application security engineer Neal Harris, and Salesforce.com lead security engineer Yoel Gluck. Their man-in-the-middle HTTPS crypto attack involves watching "the size of the cipher text received by the browser while triggering a number of strategically crafted requests to a target site," according to exploit details provided by Prado to DHS. "To recover a particular secret in an HTTPS response body, the attacker guesses character by character, sending a pair of requests for each guess. The correct guess will result in a smaller HTTPS response," he said.

With repetition, an attacker can guess the exact secret. "In practice, we have been able to recover CSRF tokens with fewer than 4,000 requests," said Prado. "A browser like Google Chrome or Internet Explorer is able to issue this number of requests in under 30 seconds, including callbacks to the attacker command and control center."

Prado and his fellow researchers have promised to release a related tool to allow businesses to test whether their sites are susceptible to a BREACH-style attack.

Their attack is the latest exploit that demonstrates that so-called secure HTML pages aren't always fully secure. "When you're designing security protocols, you can implement cryptography properly, but you cannot always provide perfect confidentiality," said Prado. "When you mix a lot of protocols into the stack, there might be other layers in the stack that might be overly permissive, and then you might be able to compromise the entire trust relationship."

On the upside, the vulnerabilities outlined by the trio would need to be targeted on a site-by-site basis. For any compromised site, visitors would then be at risk of having their secret details compromised.

But Prado said that numerous sites are at risk, and that crafting a related HTTPS fix would likely be "nontrivial." Still, the DHS advisory details mitigation strategies that businesses can employ, which include disabling HTTP compression such as gzip, as well as randomizing the secrets being transmitted in any particular request.

"HTTPS remains a good method of transmitting data online, but it certainly isn't perfect," AppRiver security analyst Jon French told the British Computer Society. "'Many researchers and hackers are constantly trying to find flaws within the HTTPS protocol precisely because so many people rely on it. As a result, while BREACH is the latest tool for intercepting HTTPS traffic, it's not the only one out there."

Still, the BREACH exploit vector carries caveats. "Researchers say that attackers must have access to passively monitor the target's Internet traffic," French said. "In most cases, monitoring would have to be done locally on the same network -- and that adds a layer of difficulty for hackers."

Welcome to
TechWeb, the IT professional's online resource for news coverage of the
information technology industry. We know technology news. Our mobile
and wireless news coverage moves as fast as wireless technology itself.
We follow all the devices you depend on to stay connected. Our software
coverage follows the multi-faceted software industry from every angle.
We've got a lock on network security and computer security issues.
We're all over the business of the Web--the Internet business--and the
engines that run it. We have our eyes and ears tuned to the players who
make and run the tools that tie us all together--Google, Microsoft,
eBay, Cisco, Yahoo, Oracle, Apple, Sony--and scores of others. And we
keep close tabs on the backbone of information technology, PC hardware.
We know PCs and Apple computers inside and out. We cover computer
technology, computer news, software news, search engine news, business
software, operating systems, and software development. Our coverage of
tech news includes a strong focus on the security business, its
attendant spyware and viruses, how security relates to wireless
technology and business networking and the security issues surrounding
RFID technology. We closely follow developments in Internet news and
Internet technology, including the spread of broadband and its effect
on Web browsers and the Web business. We watch the VoIP business, and
how VoIP technology is affecting the state of telephony in the
enterprise. And if all that isn't enough, we also track developments in
the IT industry that affect IT jobs, IT careers, and outsourcing.